By now all of you have heard about the tragic act of evil perpetrated last night on the Las Vegas Strip at the Route 91 concert. We wanted to wait to write to all of you until we had determined the status of our Shift4 family.

Visa recently published an alert warning merchants and acquirers of a new type of JavaScript-based malware that is specifically targeting merchants with e-commerce payment processing environments. As your neighborhood merchant advocate, we are passing this along to you. Here is what you need to know.

Shift4 founders Dave and Kathy Oder have officially entered their well-deserved “semi-retirement” and have handed over the day-to-day operations of the company. J.D. Oder II has been promoted to president and CTO and Stephanie Stowers has been promoted to executive vice president and COO. Please join us in congratulating these two hard-working visionaries who will lead Shift4 to continued success. Click here for official announcement.

If you use Shift4's test environment, Certify, then you should read this important message, as it contains important information that may impact your ability to run tests with Shift4. Certify is most often used by independent software vendors that supply point-of-sale and property management systems, as well as those merchants that own and operate their own systems.

A survey by Newtek Business Services, Inc., shows that 71% of small businesses do not know about EMV and how it applies to them. Are you included? If you run a small business, then we have a primer on what the October 2015 fraud liability shift means for you and how Shift4 is helping you reduce your fraud liability with EMV, and reduce your breach risk and PCI scope with True P2PE™ and TrueTokenization®.

Consumers don’t just love giving gift cards – they also love receiving them. According to the National Retail Federation, gift cards have been at the top of consumers’ wish lists for the past eight years in a row.

U.S. EMV is coming. Are you prepared? In the simplest terms, EMV is a special chip embedded on a credit or debit card that helps to prevent card-present fraud. The EMV chip prevents counterfeiting, skimming, and the use of lost or stolen credit or debit cards.

Shift4, provider of the world’s largest independent payment gateway, DOLLARS ON THE NET®, already processes EMV transactions in Canada and has the unique capability to be a force multiplier the independent software vendors (ISVs) that supply point-of-sale (POS) and property management system (PMS) solutions, as well as payment device manufacturers and processors as they transition to EMV in the U.S. We can also simplify the process for merchants who are implementing new solutions or planning to change devices or processors.

Shift4's flexibility and unique infrastructure allow us to reduce the time, expense, and stress of the EMV transition for everyone involved.

Click on one of the menu options below to learn how we can help you:

MerchantsISVsDevicesProcessorsCard Brands

EMV: What It Is and What It’s Not

U.S. EMV is coming. Are you prepared? In the simplest terms, EMV is a special chip embedded on a credit or debit card that helps to prevent card-present fraud. The EMV chip prevents counterfeiting, skimming, and the use of lost or stolen credit or debit cards. The specification for EMV chips was first created in 1994 by the credit card brands Europay, MasterCard, and Visa (EMV) and is now owned by American Express, JCB, MasterCard, UnionPay, and Visa. For more than two decades, EMV chip cards have been in use in every major market in the world – except the U.S.

What It Is: More specifically, EMV defines how a payment terminal interacts with a chip card. The EMV chip, which is similar to a cell phone SIM card, is embedded on a credit card. When properly implemented, the EMV card will authenticate each transaction, preventing card-present fraud. In the U.S., each credit card brand has developed its own chip-functionality specifications and theoretically, for the convenience of both consumers and merchants, U.S. EMV chip cards will retain a magnetic stripe for a few years until EMV adoption is 100%. But note, even in areas where EMV has been implemented for years, not a single EMV-compliant country has reached 100% adoption.

While most global markets have required that EMV cards be issued with PINs (known as chip and PIN), the U.S. market is unregulated and the credit card issuers may adopt signature verification at the point of sale, known as chip and signature, instead of a PIN. This has benefits in terms of not requiring consumers to memorize another PIN and not requiring PIN devices at restaurants, but it also has major drawbacks, namely that a PIN is a much more secure verification of a cardholder than a signature.

However, the largest benefit of EMV is in its ability to allow an EMV-capable device to write a security code to an EMV chip whenever a transaction is completed. This technology allows for any unusual activity in the card’s card-present transaction history to disable the card, which will prevent fraudulent card-present transactions from taking place. Another benefit is that because EMV chips are used worldwide, issuing EMV chip cards in the U.S. will allow for improved global credit card acceptance.

What It’s Not:EMV is not a cure-all for security – Merchants will still need to foster daily security practices and implement layered security with technologies like our True P2PE™ and TrueTokenization® solutions to protect their environment from fraud and breaches.

EMV is not a new technology – EMV has been in use for more than 20 years and as of the end of 2013, according to EMVCo, more than 2 billion EMV cards were already in use worldwide prior to the start of U.S. EMV migration.

EMV is not a foolproof solution for preventing fraud – Has credit card fraud disappeared from those countries? Actually, no. Card-present fraud has been greatly reduced, but because EMV is not universally accepted and does not secure card-not-present fraud, EMV is no silver bullet for preventing fraud. In countries where EMV has been implemented, the frequency of card-not-present fraud has risen.

EMV is not a complete replacement for the magnetic stripe – Payments industry experts predict that the EMV migration in the U.S. won’t be completed until 2020. Even in areas where EMV has been implemented since 1994, there is still not 100% market saturation. This means that there are still many places where non-EMV cards are accepted.

EMV is not a method for preventing breaches – EMV is specifically a tool to help prevent card-present fraud. Most EMV-capable payment devices still output clear text data, which means that your environment is just as susceptible to breaches after implementing EMV – unless technologies like True P2PE and TrueTokenization are in use.

EMV is not a mandate – There is not a requirement that merchants become EMV compliant. Unlike the PCI DSS and PA-DSS, which are PCI requirements for merchants who want to accept credit and debit cards, the EMV specification is a capability for card acceptance recommended by the card brands. This recommendation involves a shift in liability that will make the “weak link in the EMV capability chain” liable for any fraudulent transactions that are not processed according to the EMV specification, meaning that instead of the banks being liable for instances of fraud, it may shift to the bank, processor, or merchant, if those organizations do not have EMV in place.

Shift4 makes getting ready for U.S. EMV easy for ISVs with a simple certification for EMV. Here’s how:

Shift4’s Universal Transaction Gateway® (UTG®) controls the payment devices connected to it, so ISVs who are currently certified with Shift4 for debit will be able to offer U.S. EMV without making any significant changes to their existing software.

Because of the UTG’s device control, ISVs certified with Shift4 will automatically receive EMV certifications for each device and processor we support, so there is no need for them to do a separate certification for each device. This saves ISVs about six months of development time (approximately $250,000 or more) plus certification fees (which can vary from $4,000 to $15,000 per pass) for each device and processor.

The UTG also offers no-cost, no-hassle system updates, including updates to stay compliant with the industry’s regulations, resulting in approximately $100,000 cost savings or more in ongoing development costs.

In Canada – and now in the U.S. – Shift4’s PA-DSS-validated UTG stands in the place of the POS or PMS solution in the certification process as the payment application of record. This means ISVs can focus their time and money (and development cycles) on other features.

Our full suite of technologies allows vendors to often entirely remove their application from PCI DSS scope – meaning costly PA-DSS validations may no longer be required.

Because Shift4’s integrations to the various POS and PMS solutions allow us to stand in for them as the payment application of record, we have the ability to also stand in for the POS and PMS solution in EMV certifications. This means that after we’ve certified a device to a given processor, it is certified no matter which POS or PMS solution a merchant uses (so long as they are integrated to DOLLARS ON THE NET). This can save payment device manufacturers months of work and tens of thousands of dollars. Also, it gets certified devices to market faster.

Shift4 satisfies the 600+ flows required by the processors for EMV certification with a simplified, "one-and-done" approach. When device manufacturers certify a device with us – once – they’re good to go.

Certifying a payment device with Shift4 will increase exposure to merchants across every industry in North America. We work with more than 24,000 merchants across over 100,000 locations throughout the U.S., Canada, and the Caribbean.

Shift4 provides payment device manufacturers with freedom for innovation when adding new features and capabilities. Because our unique technologies allow us to stand in for POS and PMS solutions and control the payment devices, all of our integrated POS and PMS solutions will support new device upgrades with no development required from the POS or PMS solution vendor, so long as Shift4 supports the new features. This means innovations can reach more locations, more quickly.

Are Your Payment Devices Certified With Shift4 for EMV?

Contact Shift4 today to ensure your payment device is certified with Shift4 for U.S. EMV. And, check our EMV microsite for regular updates as we continue to prepare our merchant customers and business partners for the migration to U.S. EMV.

Shift4 will do the legwork of certifying payment devices and ISVs for EMV so processors won't have to, saving you time and money. This means that if you certify with Shift4, we will help you reach tens of thousands of merchants who are looking for an EMV-ready solution that works with their POS or PMS solution. (We can also make it simple for merchants to switch to EMV-ready processors who have certified with Shift4.)

Because Shift4 replaces the POS or PMS solution as the payment application of record, a certification to us gives a processor access to our full network of integrated POS and PMS solutions (350+ and growing), payment devices from all the leading manufacturers, and merchants who are looking for a certified, secure EMV solution.

Are You Ready for EMV?

Processors, make sure you put Shift4 at the top of your list for EMV certification. Certifying Shift4 for EMV will save you time and money on EMV certifications and help connect you to Shift4’s integration partners and merchant customers. Contact Shift4 today.

Shift4 Makes EMV Easy for the Credit Card Brands

Shift4 makes the process of preparing for U.S. EMV easier for the credit card brands. Here’s how:

If card brands (e.g., Visa, MasterCard, etc.) encourage their vendors to partner with a payment gateway like Shift4’s, it will help to get the U.S. market ready for EMV faster. This is because Shift4 provides processors and payment device manufacturers the help that they need to prepare for EMV and connects them with merchants who desire EMV readiness, as well as the best payment and security solutions.

We understand that EMVCo wants global interoperability of chip-based payment cards. Shift4 offers the best solution since we are proudly bank and processor neutral and are dedicated to reducing the complexities of the U.S. EMV migration for everyone involved.

Connect With Shift4

Check our EMV microsite for regular updates as we continue to prepare our merchant customers and business partners for the migration to U.S. EMV. And, if you have any questions, you can contact Shift4 today.

Last month, Shift4 was approached by Retail Realm, one of our long-time partners with a request to put together an EMV 101 webinar for their resellers. The event was a great success and we were able to share the expertise of Shift4’s VP of Business Development, Bob Lowe, who has been part of EMV migration projects in Australasia, Europe, Canada, and now the U.S.

Since the webinar, we have been contacted by dozens of payments industry professionals who are looking for answers and assistance as they work with merchants to prepare for the October 1, 2015 EMV liability shift date. Based on what we’ve heard so far, we’ve put together a Shift4 EMV Q&A of the most common questions from resellers, VARS, and other potential partners.

Which U.S. Processors work today with EMV?

All processors are adding support for EMV, and are in various stages of readiness. While the exact order is subject to change due to customer demand, processor responsiveness, and a number of other potential factors, Shift4’s current plan is to support U.S. processors in the following order:

1-Global/AMEX

2-TSYS

3-First Data

4-Chase

5-Elavon

6-Vantiv

7-RBS WorldPay

8-Heartland

9-First Caribbean International Bank

10-First Hawaiian Bank

How does EMV work for a customer using a virtual terminal?

EMV requires transactions to be entered through an approved payment device. If the virtual terminal solution can work with an EMV device, it can be used. Shift4 is working with device manufacturer ID TECH to ensure our VT4 mobile payments solution (which includes virtual terminal functionality – and much more) will be EMV capable before October. However, most other virtual terminal solutions have the card data entered through the virtual terminal application and would then be considered manual-entry or swiped transactions, which would not qualify as EMV transactions.

Does Shift4 handle settling or batching transactions or is it still done by Microsoft Dynamics RMS ?

Shift4 handles the batching and settling of transactions, relieving RMS from those responsibilities. RMS simply marks the transaction as ready to settle and Shift4 takes care of everything else.

With the U.S. not mandating PIN as part of EMV, will we see EMV devices without the keypad?

Yes, these are coming. The terminals that we will initially see from companies like Ingenico and Verifone are devices that have been used in Europe and Canada where PIN is a requirement. Based on the U.S. PIN-less flow, we are now starting to see plans for devices that have no keyboard. Some are calling them “three-in-one” devices because they accept chip, swipe, and contactless transactions. We expect these devices will be commonly used on mobile devices where the three-in-one device is plugged into the audio jack (or in the future, lightning/micro-USB port) of a phone or tablet.

Does Shift4 operate in the Caribbean?

Yes. Shift4 supports both First Data South and First Caribbean International Bank as processors in the region.

Is Shift4 a gateway and then the customer signs up for a processor separately?

Yes.

Is there any change in the end-user customer’s liability when they receive an EMV card?

The cardholder’s liability is unchanged with EMV. The EMV liability shift applies to merchants, card issuing banks, and processors, and basically states that whichever entity breaks the EMV chain (i.e., is not ready to accept the EMV transaction), becomes financially liable for any fraud committed in that transaction.

Which payment devices are approved by Microsoft RMS that support EMV and NFC?

Shift4’s proprietary Universal Transaction Gateway® (UTG®) controls the EMV devices. Therefore, it is Shift4’s certification – and not Microsoft’s – that determines whether or not a specific device will be supported. Currently, Shift4 is seeking certifications for the Ingenico iPP320 and iPP350, along with the iSC Touch 250, iSC Touch 350, and iSC Touch 480. Shift4 is also certifying the Verifone MX915 and MX925 devices. All of these devices support EMV, NFC, and P2PE. Additional devices may be considered and added as needs arise.

What is the cost of DOLLARS ON THE NET?

Shift4 charges on a pennies per transaction basis with discounts for significant volume.

Would any credit card transactions be stored on the POS?

With Shift4’s solutions in place, the POS would continue to store transactions, but the transaction would no longer contain sensitive cardholder data. In fact, when used with Shift4, RMS, Retail Realm Essentials, and AX for Retail never store, process, or transmit sensitive credit card data.

How do we protect our customers’ investment in these devices in terms of future-proofing? Will these devices be capable of receiving remote updates to keep up with new rules or new capabilities?

All of the devices we are currently certifying support remote updates. Shift4’s UTG can push these updates as necessary.

How does EMV affect card-not-present transactions?

The EMV changes only impact card-present transactions; card-not-present transactions will work exactly as they do now.

Is the signature collection process going to be different with EMV? There are rumors that EMVco is going to require signatures to be collected on paper.

We are not aware of any paper signature requirements for EMV. With EMV, the cardholder signature will be used exactly as it is now – for chargeback defense. While PIN has been required in most countries that have implemented EMV (hence the nickname “chip and PIN”) in the U.S. it appears that most issuing banks are opting to only support signature authentication. Logic within the card will prompt the terminal to display either a PIN entry or a signature capture. If a signature-capture-capable device is in use, Shift4 will trigger the device to display a signature line. If the cardholder declines to enter it electronically, or the terminal doesn’t support signature capture, the printed receipt will automatically include a signature line for the customer to sign on. The transaction will go through regardless of whether the signature is actually captured, but in the event that the cardholder contests the transaction and the merchant cannot show a signature (physical or digital) the chargeback will fail.

Does Shift4 support tokenization for recurring transactions?

Yes. Shift4’s TrueTokens® may be securely stored within the POS application for use in recurring transactions.